IBM Endpoint Manager
Version 9.2
Patch Management for SUSE Linux
Enterprise
User's Guide
Note
Before using this information and the product it supports, read the information in “Notices” on page 61.
This edition applies to version 9, release 2, modification level 0 of IBM Endpoint Manager (product number 5725-C45) and to all subsequent releases and modifications until otherwise indicated in new editions.
© Copyright IBM Corporation 2003, 2015.
Contents
Chapter 1. Overview
  What's new in this update release
  Supported platforms and updates
  Supported packages
  Site subscription
  Download plug-ins
  SUSE Download cacher
  Patching methods
Chapter 2. Manage Download Plug-ins dashboard overview
  Registering the SUSE download plug-in
  Unregistering the SUSE download plug-in
  Configuring the SUSE download plug-in
  Migrating the SUSE download plug-in
  Upgrading the SUSE download plug-in
Chapter 3. Custom repositories management
  SLE Custom Repository Management dashboard
  Adding a repository or SMT
  Registering endpoints to a repository or SMT
  Unregistering endpoints from a repository or SMT
  Deleting repositories or SMTs
  Importing repositories or SMTs
  Installing packages from a custom repository
Chapter 4. Using Patch Management for SUSE Linux Enterprise
  Patching using Fixlets
  Viewing deployment results
  Manage Preference Lists
  Using the Preference Lists Dashboard
  Retrieving installed RPM package information
Chapter 5. SLE Btrfs snapshot management
  SLE Btrfs Snapshot Management dashboard overview
  Rolling back a snapshot
Appendix A. Support
Appendix B. Troubleshooting
Appendix C. Frequently asked questions
Notices
  Trademarks
Chapter 1. Overview
The IBM Endpoint Manager for Patch Management solution, which includes deploying a multi-purpose, lightweight agent to all endpoint devices, supports a wide variety of device types ranging from workstations and servers to mobile and point-of-sale (POS) devices.
What's new in this update release
This release of IBM Endpoint Manager for Patch Management contains several new features and enhancements.
Table 1. What's new
| Enhancement or Feature | Description | Resources |
| --- | --- | --- |
| Package installation task | Custom repositories can give you the flexibility to control what you can deploy on the endpoints in your environment. For example, you can deploy custom software that you are hosting in your custom repositories. Use the Install packages by using zypper task to install software that is in your custom repositories. This task is enhanced to allow you to update all the packages on the endpoint and to install packages based on CVE number. The Install packages by using zypper task is available on the Patching Support site. | Chapter 3, “Custom repositories management,” on page 21; “Installing packages from a custom repository” on page 28 |
| SLE Btrfs Snapshot Management | Manage Btrfs filesystem snapshots for endpoints that are using SUSE Linux Enterprise versions 11 SP2 and later. IBM Endpoint Manager provides the SLE Btrfs Snapshot Management dashboard to allow you to manage root snapshots with the rollback feature to restore to a previous system state. The SLE Btrfs Snapshot Management dashboard is available on the Patching Support site. | Chapter 5, “SLE Btrfs snapshot management,” on page 45; “SLE Btrfs Snapshot Management dashboard overview” on page 45; “Rolling back a snapshot” on page 47 |
| SLE Custom Repository Management dashboard enhancements | The repository registration feature in the SLE Custom Repository Management dashboard now allows you to enable autorefresh and URI checks. | |
Previous updates
Table 2. Previous updates
| Enhancement or Feature | Description | Resources |
| --- | --- | --- |
| Custom repository support | IBM Endpoint Manager now supports custom repositories and the Subscription Management Tool (SMT) for patching SUSE Linux Enterprise Desktop and SUSE Linux Enterprise Server version 11 endpoints. Support for custom repositories for patch management uses existing local repository mirrors and extended support channels to download patches. This solution can also be used to deliver custom software through IBM Endpoint Manager. For more information, see Chapter 3, “Custom repositories management,” on page 21. | Chapter 3, “Custom repositories management,” on page 21 |
| Package manager native command-line interface support | Zypper, which is the default package manager for SLE, replaces the Endpoint Dependency Resolver (EDR) utilities that Patch Management for SLE previously used. Zypper gives you more flexibility in terms of patch deployment and provides results that are in parallel with SLE solutions. Use the Patches for SLE 11 Native Tools site to patch SLE 11 systems because Zypper reduces dependency issues, improves performance, and is more reliable in terms of installing security patches. For more information, see “Patching methods” on page 5. | “Patching methods” on page 5 |
Supported platforms and updates
IBM® Endpoint Manager for Patch Management supports a wide range of SUSE Linux Enterprise platforms and updates.
Endpoint Manager provides Fixlet content for Novell updates that are under general support. If you acquired the Long Term Service Pack Support (LTSS) and require such content, contact IBM Professional Services.
Table 3. Supported platforms and patches for the Patch Management for SUSE
| Fixlet Site Name | Supported Platform | Type of Update |
| --- | --- | --- |
| Patches for SLE10 | SUSE Linux Enterprise Desktop 10 SP3 and SP4 (x86, x86_64); SUSE Linux Enterprise Server 10 SP3 and SP4 (x86, x86_64) | Mandatory; Recommended; Optional |
| Patches for SLE11 | SUSE Linux Enterprise Desktop 11 SP1, SP2, and SP3 (x86, x86_64); SUSE Linux Enterprise Server 11 SP1, SP2, and SP3 (x86, x86_64) | |
| Patches for SLE10 System Z | SUSE Linux Enterprise Server 10 SP3 and SP4 (s390x) | |
| Patches for SLE11 System Z | | |
| Patches for SLE 11 Native Tools | SUSE Linux Enterprise Desktop 11 SP1, SP2, and SP3 (x86, x86_64); SUSE Linux Enterprise Server 11 SP1, SP2, and SP3 (x86, x86_64) | See “Supported packages” to view the list of Novell repositories that contain the supported packages. |
| Linux RPM Patching | Previously listed supported platform versions. | Previously listed updates. |
Note: Endpoint Manager no longer releases new content Fixlets for SUSE Linux Enterprise Desktop (SLED) 10 and SUSE Linux Enterprise Server (SLES) 10 since Novell ended their general support on July 31, 2013. However, Endpoint Manager still supports the content Fixlets that were released before this date. If you acquired extended support with Novell and require Fixlets for the SLES and SLED 10 updates, contact IBM Professional Services.
To install x86 or x86_64 SUSE patches, subscribe to the Patches for SLE10, Patches for SLE11, and Linux RPM Patching sites. To install SUSE patches for System Z (s390x) endpoints, subscribe to the Patches for SLE10 System Z, Patches for SLE11 System Z and Linux RPM Patching sites.
Important: A download plug-in for SUSE must be registered before deploying patches from the Endpoint Manager console. For more information about
registering the download plug-in, see “Registering the SUSE download plug-in” on page 10.
Supported packages
Patch Management for SUSE Linux Enterprise supports the packages in several Novell repositories.
The following table lists the repositories that contain the supported packages for the Patches for SLE 11 Native Tools site.
Table 4. Supported Novell repositories and packages
| Operating System and Service Pack Level | Repository Name |
| --- | --- |
| SUSE Linux Enterprise Server 11 SP3 | SLES11-SP3-Pool; SLES11-SP3-Updates |
| SUSE Linux Enterprise Server 11 SP2 | SLES11-SP1-Pool; SLES11-SP1-Updates; SLES11-SP2-Core; SLES11-SP2-Updates |
| SUSE Linux Enterprise Server 11 SP2 | SLES11-SP1-Pool; SLES11-SP1-Updates |
| SUSE Linux Enterprise Server 11 | SLES11-Pool; SLES11-Updates; SLES11-Extras |
| SUSE Linux Enterprise Desktop 11 SP3 | SLED11-SP3-Pool |
| SUSE Linux Enterprise Desktop 11 SP2 | SLED11-SP1-Pool; SLED11-SP1-Updates; SLED11-SP2-Core; SLED11-SP2-Updates |
| SUSE Linux Enterprise Desktop 11 SP1 | SLED11-SP1-Pool; SLED11-SP1-Updates |
| SUSE Linux Enterprise Desktop 11 | SLED11-Pool; SLED11-Updates; SLED11-Extras |
Site subscription
Sites are collections of Fixlet® messages that are created internally by you, by IBM, or by vendors.
Subscribe to a site to access the Fixlet messages to patch systems in your deployment.
You can add a site subscription by acquiring a masthead file from a vendor or from IBM or by using the License Overview Dashboard. For more information about subscribing to Fixlet sites, see the IBM Endpoint Manager Installation Guide.
For more information about sites, see the IBM Endpoint Manager Console Operator's
Guide.
Download plug-ins
Download plug-ins are executable programs that download a specified patch from the website of the patch vendor. To ease the process of caching, Fixlets have an incorporated protocol that uses download plug-ins.
For the Fixlet to recognize the protocol, the related download plug-in must be registered. You must use the Manage Download Plug-ins dashboard to register the download plug-in. After you register the plug-in, you can run the Fixlets to download, cache, and deploy patches from the IBM Endpoint Manager console.
If you already registered the plug-in, you can use the Manage Download Plug-ins dashboard to run the update. You must use the dashboard also to unregister and configure the download plug-in. For more information about the dashboard, see the topic on Manage Download Plug-ins dashboard overview.
Note: If you install the download plug-in on relays, it is recommended that you also install it on the server.
SUSE Download cacher
The SUSE Download Cacher is a command-line tool that is designed to automatically download and cache SUSE patches on the IBM Endpoint Manager server to facilitate the deployment of SUSE Fixlets.
Use the tool if you want to cache all the downloads for faster execution of actions. Otherwise, use the download plug-in. The preferred method of SUSE patch caching is to register the SUSE Download Plug-in from the Manage Download Plug-ins dashboard. For more information about registration, see “Registering the SUSE download plug-in” on page 10.
The tool uses FTP to download large .zip files and by default, stores them in the sha1 cache folder. You can also choose to store the files in a different existing directory. Your environment must be configured to accept FTP use.
You can access the tool by downloading and running it manually. For more information, see the technote in http://www-01.ibm.com/support/docview.wss?uid=swg21506059.
Patching methods
IBM Endpoint Manager offers more flexibility to the patch management solution by providing patching options that cater to your needs.
IBM Endpoint Manager provides several different methods to manage patches for SUSE Linux Enterprise.
Patching by using the Endpoint Dependency Resolution (EDR) method
Endpoint dependency resolution (EDR) is an approach to UNIX patching where dependencies for bulletins are calculated dynamically during an action run time. Packages are patched regardless of which packages are already installed on the endpoints.
The following sites use the EDR method:
- Patches for SLE10
- Patches for SLE11
- Patches for SLE10 System Z
- Patches for SLE11 System Z
The EDR method uses a dependency resolution tool that requires dependencies of all of the installed packages on the system to be satisfied. To view the EDR results, see the EDR_DeploymentResults.txt file that is located in the directory <client folder>\EDRDeployData\.
With this approach, you can deploy preference lists to endpoints from the
Preference Lists Dashboard in the Linux RPM Patching site. For more information about preference lists, see “Manage Preference Lists” on page 37.
When dependencies are resolved on the endpoints, there might be multiple valid sets of dependencies that satisfy the requirements of the targets. Preference lists help to decide which requirements to satisfy in these situations. For more information about the dashboard, see “Using the Preference Lists Dashboard” on page 37.
Patching by using the native tools (Zypper) method
Zypper is the default package manager for SUSE Linux Enterprise. It gives you more flexibility in terms of patch deployment and in providing results that are suitable for SUSE Linux Enterprise solutions. It uses a command-line interface and simplifies the process of installing, uninstalling, updating, and querying software packages. It is based on ZYpp, also known as libzypp. For more information about Zypper, see the documentation at http://www.suse.com or see the Novell Support website at https://www.novell.com/support/.
Zypper reduces dependency issues, improves performance, and is more reliable in terms of installing security patches. This method also enables you to use custom repositories for patching. For more information on custom repository support, see Chapter 3, “Custom repositories management,” on page 21.
The Zypper approach is introduced to replace the EDR utilities that Patch
Management for SUSE Linux Enterprise previously used. Subscribe to the Patches
for SLE 11 Native Tools site to use the Zypper method.
The Zypper native tools implementation has an external dependency on the expect utility. Endpoint Manager provides a task to install the expect utility on systems that are configured with Zypper repositories. Task ID 101: Install expect is available from the Patches for SLE 11 Native Tools site.
Zypper utility configuration settings
The Patches for SLE 11 Native Tools site uses all the settings in /etc/zypp/zypp.conf.
The following Zypper configuration settings are set to values that come from another file, which is dynamically created during Fixlet execution:
- cachedir
- configdir
- metadatadir
- packagesdir
- reposdir
- repo.add.probe
- repo.refresh.delay
- solvfilesdir
Identifying file relevance with Native tools content
The native tools method captures file relevance in the same way as EDR. Both methods check for the relevance clause "exist lower version of a package, but not exist higher version of it". If both tools are applied to the same deployment, the relevance results are the same.
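The relevance clause above, worked through as an added example (this is not IBM's relevance code): a Fixlet for a package is relevant when an installed copy is lower than the patched version and no installed copy is higher. The comparison follows RPM's classic segment-wise ordering without tilde handling, which is an assumption of this sketch; the package names and versions are constructed sample data.

```python
import re

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")

# Constructed sample inventory of (name, version-release) pairs.
INSTALLED = [
    ("openssl", "0.9.8j-0.50.1"),
    ("kernel-default", "3.0.76-0.11.1"),   # two kernels installed side by side
    ("kernel-default", "3.0.101-0.15.1"),
    ("bash", "3.2-147.17.30"),
]


def rpm_vercmp(a, b):
    """Compare two version or release strings segment by segment.

    Returns -1, 0 or 1. Separators are ignored, numeric segments compare as
    integers, and a numeric segment is newer than an alphabetic one.
    """
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit():
            return 1
        elif y.isdigit():
            return -1
        if x != y:
            return 1 if x > y else -1
    # All shared segments are equal: the string with segments left over is newer.
    return (len(seg_a) > len(seg_b)) - (len(seg_a) < len(seg_b))


def parse_evr(evr):
    """Split '[epoch:]version-release' into (epoch, version, release)."""
    epoch, rest = evr.split(":", 1) if ":" in evr else ("0", evr)
    version, _, release = rest.partition("-")
    return int(epoch), version, release


def evr_cmp(a, b):
    """Order two EVR strings: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpm_vercmp(va, vb) or rpm_vercmp(ra, rb)


def is_relevant(installed, name, fixed_evr):
    """Apply the clause: a lower version exists and no higher version exists.

    An installed copy equal to fixed_evr counts as neither lower nor higher,
    following the wording of the clause as written.
    """
    results = [evr_cmp(evr, fixed_evr) for pkg, evr in installed if pkg == name]
    return any(r < 0 for r in results) and not any(r > 0 for r in results)


if __name__ == "__main__":
    for pkg, fixed in [("openssl", "0.9.8j-0.58.1"),
                       ("kernel-default", "3.0.93-0.8.2"),
                       ("bash", "3.2-147.17.30")]:
        print(pkg, fixed, "relevant" if is_relevant(INSTALLED, pkg, fixed) else "not relevant")
```

The kernel case shows why the second half of the clause matters: with a newer kernel already installed, the older copy alone does not make the Fixlet relevant.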
Patching method matrix
The following table lists the applicable sites and features for each of the patching methods that are available for managing your SUSE Linux Enterprise endpoints.
| Patching method | Applicable sites | Applicable features |
| --- | --- | --- |
| Endpoint Dependency Resolution (EDR) | Linux RPM Patching; Patches for SLE10; Patches for SLE11 | |
| Native tools (Zypper) | Patching Support; Patches for SLE 11 Native Tools | Download Plug-ins; Custom Repository |
Chapter 2. Manage Download Plug-ins dashboard overview
Use the Manage Download Plug-ins dashboard to oversee and manage download plug-ins in your deployment.
You can use the Manage Download Plug-ins dashboard to register, unregister, configure, and upgrade the download plug-ins for different patch vendors. For more information about these features, see the following topics.
Note: For Windows 2008 and Windows 2012 R2, you must install the latest version of Shockwave Flash Object to ensure that the dashboard displays properly.
You must subscribe to the Patching Support site to gain access to this dashboard. To view the Manage Download Plug-ins dashboard, go to Patch Management domain > All Patch Management > Dashboards > Manage Download Plug-ins.
The dashboard displays all the servers and Windows-only relays in your deployment. Select a server or relay to view all the plug-ins for that computer. The dashboard also shows you the version and status for each plug-in in one consolidated view.
A plug-in can be in one of the following states:
- Not Installed
- New Version Available
- Up-To-Date
- Not Supported
Note: CentOS and SUSE Linux download plug-ins are not supported in relays.
The dashboard has a live keyword search capability. You can search based on the naming convention of the servers, relays, and plug-ins.
Registering the SUSE download plug-in
Use the Manage Download Plug-ins dashboard to register the download plug-in for SUSE Linux.
Before you begin
Note: SUSE Linux download plug-ins are not supported in relays.
- Subscribe to the Patching Support site to gain access to the Manage Download Plug-ins dashboard.
- Enable the Encryption for Clients Fixlet on servers and relays for which you want to register the download plug-in.
- Activate the Encryption Analysis for Clients analysis and Download Plug-in Versions analysis.
When you register the download plug-in on a computer without the plug-in, the plug-in is automatically installed and the configuration file is created.
If a download plug-in is already installed on the computer, the configuration file is overwritten.
Procedure
1. From the Patch Management domain, click All Patch Management >
Dashboards > Manage Download Plug-ins dashboard.
2. From the Servers and Relays table, select the server or relay on which the download plug-in is to be registered.
3. From the Plug-ins table, select SUSE Plug-in.
5. Enter the Novell credentials that you use to log on to the Novell Customer Center.
Novell Username
Your Novell account user name to the Novell Customer Center. It must have a valid support identifier to download patches.
Novell Password
Your Novell account password to the Novell Customer Center.
Confirm Novell Password
Your Novell account password for confirmation.
Large amounts of downloads through this channel might lock you out of your Novell account. Use the mirror server to prevent a temporary lock out from happening.
6. Optional: Enter the mirror parameters if you want the plug-in to download from a mirror server.
Mirror URL
The URL of your mirror server. It must be a well-formed URL, which contains a protocol and a host name. Leave the field blank to use the Novell mirror server: https://nu.novell.com.
Note: Ensure that you enter your Novell mirror server credentials. If you leave the following fields blank, the download plug-in uses the credentials for the Novell Customer Center instead.
Mirror Username
Your proxy user name if your mirror server requires authentication. It is usually in the form of domain\username.
Mirror Password
Your proxy password if your mirror server requires authentication.
Confirm Mirror Password
Your mirror password for confirmation.
7. Optional: Enter the proxy parameters if the downloads must go through a proxy server.
Proxy URL
The URL of your proxy server. It must be a well-formed URL, which contains a protocol and a host name. The URL is usually the IP address or DNS name of your proxy server and its port, which is separated by a colon. For example: http://192.168.100.10:8080.
Proxy Username
Your proxy user name if your proxy server requires authentication. It is usually in the form of domain\username.
Proxy Password
Your proxy password if your proxy server requires authentication.
Confirm Proxy Password
Your proxy password for confirmation.
8. Click OK. The Take Action dialog displays.
9. Select the target computer.
10. Click OK.
Results
You successfully registered the SUSE download plug-in.
Unregistering the SUSE download plug-in
Use the Manage Download Plug-ins dashboard to unregister the download plug-in for SUSE Linux.
Procedure
1. From the Patch Management domain, click All Patch Management > Dashboards > Manage Download Plug-ins dashboard.
2. From the Servers and Relays table, select the server or relay on which the download plug-in is to be unregistered.
The Take Action dialog displays.
5. Select the target computer.
6. Click OK.
Results
You successfully unregistered the SUSE download plug-in.
Configuring the SUSE download plug-in
Use the Manage Download Plug-ins dashboard to configure the download plug-in for SUSE.
About this task
You might want to take note of your existing configuration for the download plug-in. Existing configurations are overwritten when you configure the download plug-in.
Procedure
1. From the Patch Management domain, click All Patch Management >
Dashboards > Manage Download Plug-ins dashboard.
2. From the Servers and Relays table, select the server or relay on which the download plug-in is to be configured.
3. From the Plug-ins table, select SUSE Plug-in.
5. Enter the Novell credentials that you use to log on to the Novell Customer Center.
Novell Username
Your Novell account user name to the Novell Customer Center. It must have a valid support identifier to download patches.
Novell Password
Your Novell account password to the Novell Customer Center.
Confirm Novell Password
Your Novell account password for confirmation.
Large amounts of downloads through this channel might lock you out of your Novell account. Use the mirror server to prevent a temporary lock out from happening.
6. Optional: Enter the mirror parameters if you want the plug-in to download from a mirror server.
Mirror URL
The URL of your mirror server. It must be a well-formed URL, which contains a protocol and a host name. Leave the field blank to use the Novell mirror server: https://nu.novell.com.
Note: Ensure that you enter your Novell mirror server credentials. If you leave the following fields blank, the download plug-in uses the credentials for the Novell Customer Center instead.
Mirror Username
Your proxy user name if your mirror server requires authentication. It is usually in the form of domain\username.
Mirror Password
Your proxy password if your mirror server requires authentication.
Confirm Mirror Password
Your mirror password for confirmation.
7. Optional: Enter the proxy parameters if the downloads must go through a proxy server.
Proxy URL
The URL of your proxy server. It must be a well-formed URL, which contains a protocol and a host name. The URL is usually the IP address or DNS name of your proxy server and its port, which is separated by a colon. For example: http://192.168.100.10:8080.
Proxy Username
Your proxy user name if your proxy server requires authentication. It is usually in the form of domain\username.
Proxy Password
Your proxy password if your proxy server requires authentication.
Confirm Proxy Password
Your proxy password for confirmation.
8. Click OK. The Take Action dialog displays.
9. Select the target computer.
10. Click OK.
Results
You successfully configured the SUSE download plug-in.
Migrating the SUSE download plug-in
You must migrate the SUSE Linux download plug-in if the plug-in version is earlier than 2.0.0.0. You only need to do this once. The download plug-in is upgraded to the latest version after migration.
About this task
Procedure
1. From the Patch Management domain, click All Patch Management >
Dashboards > Manage Download Plug-ins dashboard.
2. From the Servers and Relays table, select the server or relay on which the download plug-in is to be migrated.
3. From the Plug-ins table, select SUSE Plug-in.
4. Click Migrate. The Migrate SUSE Plug-in wizard displays.
5. Enter the Novell credentials that you use to log on to the Novell Support site.
Novell Username
Your Novell account user name to the Novell Support site. It must have a valid support identifier to download patches.
Novell Password
Your Novell account password to the Novell Support site.
Confirm Novell Password
Your Novell account password for confirmation.
6. Optional: Enter the mirror parameters if you want the plug-in to download from a mirror server.
Mirror URL
The URL of your mirror server. It must be a well-formed URL, which contains a protocol and a host name. Leave the field blank to use the Novell mirror servers.
Mirror Username
Your proxy user name if your mirror server requires authentication. It is usually in the form of domain\username.
Mirror Password
Your proxy password if your mirror server requires authentication.
Confirm Mirror Password
Your mirror password for confirmation.
7. Optional: Enter the proxy parameters if the downloads must go through a proxy server.
Proxy URL
The URL of your proxy server. It must be a well-formed URL, which contains a protocol and a host name. The URL is usually the IP address or DNS name of your proxy server and its port, which is separated by a colon. For example: http://192.168.100.10:8080.
Proxy Username
Your proxy user name if your proxy server requires authentication. It is usually in the form of domain\username.
Proxy Password
Your proxy password if your proxy server requires authentication.
Confirm Proxy Password
Your proxy password for confirmation.
8. Click OK. The Take Action dialog displays.
9. Select the target computer on which the download plug-in is to be upgraded.
10. Click OK.
Results
You successfully migrated and upgraded the SUSE download plug-in.
Upgrading the SUSE download plug-in
Use the Manage Download Plug-ins dashboard to upgrade the download plug-in for SUSE Linux.
Procedure
1. From the Patch Management domain, click All Patch Management > Dashboards > Manage Download Plug-ins dashboard.
3. From the Plug-ins table, select SUSE Plug-in.
4. Click Upgrade. The Take Action dialog displays.
5. Select the target computer.
6. Click OK.
Results
Chapter 3. Custom repositories management
You can set up your custom repositories and Subscription Management Tool (SMT) to manage patches for SUSE Linux Enterprise version 11 and later. This solution allows for multiple repositories and SMTs on the entire deployment.
With the custom repository support, the Fixlets in the Patches for SLE 11 Native Tools site can use Zypper to directly download packages from custom repositories instead of going through the Novell Customer Center. Bandwidth throttling is not supported in a custom repository architecture.
Using custom repositories can give you the flexibility to control what can be deployed to the endpoints in your deployment. For example, you can deploy custom software that you are hosting in your custom repositories. Use the Install packages by using Zypper task from the Patching Support site to install software that is in your custom repositories. For more information, see “Installing packages from a custom repository” on page 28.
Integrating your custom repository or SMT solutions is made easy with the use of the SLE Custom Repository Management dashboard.
Differentiating between repository types
The custom support covers both repository and SMT. You can register endpoints to a repository or to an SMT server.
Note: The SLE Custom Repository Management dashboard refers to SMT as one of the repository types for identification purposes only. The dashboard does not affect how SMT works.
Ensure that both types of repository are updated. Actions might fail if the packages are not available.
Repository
This type refers to standard software repositories, which are storage locations that contain a collection of packages and metadata. These repositories can be on online servers, CDs, DVDs, or on other media. The SLE Custom Repository Management dashboard does not add physical repositories; you must do this action separately.
SMT
With the SMT, enterprise customers can optimize the management of SUSE Linux Enterprise software updates and subscription entitlements. SMT provides a repository and registration target that is synchronized with the Novell Customer Center.
SLE Custom Repository Management dashboard
Use the SLE Custom Repository Management dashboard to easily integrate your existing custom repository or Subscription Management Tool (SMT) solutions with the IBM Endpoint Manager patch management solution. Only endpoints on SUSE Linux Enterprise Desktop and Linux Enterprise Server versions 11 and 12 are supported in this dashboard.
The SLE Custom Repository Management dashboard allows the Fixlets in the Patches for SLE 11 Native Tools site to use Zypper for downloads instead of using the standard IBM Endpoint Manager downloading infrastructure. The dashboard also allows you to register your custom repositories to use the Zypper commands when installing packages on the endpoints.
To access the dashboard, subscribe to the Patching Support site. From the Patch Management domain, click All Patch Management > Dashboards > SLE Custom Repository Management. Activate the Repository Configuration - SUSE Linux Enterprise analysis to view the content in the dashboard.
Important: Your custom repositories must be pre-configured with the required metadata and headers before you use the dashboard.
Use the SLE Custom Repository Management dashboard to perform the following actions for patch management:
- Register and unregister endpoints to a repository (custom repositories or SMT servers)
Note: The SLE Custom Repository Management dashboard does not support the creation of a physical repository server or SMT. You must create the repository separately. For more information about creating repositories, see the following resources:
- SUSE Linux Enterprise Desktop 11 SP3 Deployment Guide at https://www.suse.com/documentation/sled11/book_sle_deployment/data/sec_y2_sw_instsource.html
- SUSE Linux Enterprise Server 11 SP3 Deployment Guide at https://www.suse.com/documentation/sles11/book_sle_deployment/data/sec_y2_sw_instsource.html
- SUSE Linux Enterprise Desktop 12 Deployment Guide at https://www.suse.com/documentation/sled-12/book_sle_deployment/data/book_sle_deployment.html
- SUSE Linux Enterprise Server 12 Deployment Guide at https://www.suse.com/documentation/sles-12/book_sle_deployment/data/book_sle_deployment.html
Adding a repository or SMT
Add a custom repository or a Subscription Management Tool (SMT) server into the dashboard repository list so that you can register and connect it to endpoints.
Before you begin
- Activate the Repository Configuration - SUSE Linux Enterprise analysis.
- Run the Enable custom repository support - SUSE Linux Enterprise task.
Procedure
1. From the SLE Custom Repository Management dashboard, click the Repositories tab.
2. Click Add.
3. From the Add a New Repository dialog, select the repository type that you want to add.
Note: Ensure that the repository settings match the repository server configuration.
- If you are adding a standard repository, enter values for the following fields:
  – Repository Name
  – Repository URL
- If you are adding an SMT server, enter values for the following fields:
  – SMT Server Name
  – SMT Server URL
  – clientSetup4SMT script URL
Note: When you enter the SMT Server URL, the clientSetup4SMT script URL is generated automatically. This script is provided with SMT to configure endpoints to use the SMT server or to reconfigure it to use a different SMT server.
Figure 8. Adding a repository
4. Click Save.
What to do next
To connect the added repository to an endpoint, see “Registering endpoints to a repository or SMT.”
If you want to add all the known existing repositories of an endpoint, both SMTs and standard repositories, to the dashboard list, use the Import feature. For more information, see “Importing repositories or SMTs” on page 27.
Registering endpoints to a repository or SMT
Use the SLE Custom Repository Management dashboard to connect your repositories and SMTs to endpoints.
Before you begin
- Ensure that the repository settings match the repository server configuration.
- Activate the Repository Configuration - SUSE Linux Enterprise analysis.
- Run the Enable custom repository support - SUSE Linux Enterprise task.
Procedure
1. From the SLE Custom Repository Management dashboard, click the Endpoints tab.
2. Select the endpoints that you want to register to a repository or SMT from the first table. The repositories or SMTs of the selected endpoints are listed in the second table.
Note: When a repository is named as unspecified, it means that it is not listed in the Repository list of the dashboard.
3. Click Register a new repository.
4. From the Register a New Repository dialog, select a repository or an SMT and click Next.
Note: An endpoint can be registered to only one SMT at a time. If an endpoint is already registered to an SMT, registering a different SMT overrides the registration with the existing SMT.
• If you selected a repository, you can add more configuration information from the available options.
  Probe given URI
  Enable autorefresh of the repository
      Automatically refreshes the repository before reading the metadata from the database.
  Additional Fields
      Use the field to add more configuration information for the repository. For example, if you use a repository that is not a mirror of the vendor site, enter gpgcheck=0 to prevent a patch from failing because the files cannot be opened.
• If you selected an SMT, enter the location of the clientSetup4SMT Script.
5. Click Save. This information is saved in the Zypper configuration files.
6. From the Take Action dialog, select the computers and click OK to deploy the action.
Unregistering endpoints from a repository or SMT
Use the SLE Custom Repository Management dashboard to unregister endpoints from repositories or SMTs that are no longer relevant.
Before you begin
• Activate the Repository Configuration - SUSE Linux Enterprise analysis.
• Run the Enable custom repository support - SUSE Linux Enterprise task.
About this task
When you unregister a repository, the Zypper services and repositories from the endpoint that you selected are removed.
The Zypper configuration file is not deleted, but disabled when an endpoint is unregistered from a standard or SMT repository.
If you unregister an endpoint from an SMT repository, you must log in to the SMT server and delete the selected computer manually.
Procedure
1. From the SLE Custom Repository Management dashboard, click the Endpoints tab.
2. Select the endpoints that you want to unregister a repository from.
3. Click Unregister a new repository.
4. From the Unregister a New Repository dialog, select a repository and click Save.
5. From the Take Action dialog, select the computers and click OK to deploy the action.
Deleting repositories or SMTs
To manage the dashboard repository list more easily, delete the repositories or SMTs that no longer exist in your deployment.
About this task
Procedure
1. From the SLE Custom Repository Management dashboard, click the Repositories tab.
2. Select the repositories that you want to delete and click Delete. A delete confirmation dialog displays.
3. Click Yes to confirm and proceed with the deletion of the selected repositories.
Results
The selected repositories are removed from the list.
Importing repositories or SMTs
Use the Import feature of the SLE Custom Repository Management dashboard to add all the known existing repositories of an endpoint to the list of repositories in the dashboard.
Before you begin
Activate the Repository Configuration - SUSE Linux Enterprise analysis.
Procedure
1. From the SLE Custom Repository Management dashboard, click the Repositories tab.
2. Click Import.
3. From the Import Existing Repositories dialog, select the repositories or SMTs that you want to add in the dashboard repository list.
4. Enter a name for the repository.
5. Click Save.
Results
Installing packages from a custom repository
IBM Endpoint Manager provides a task to easily install and update packages on SUSE Linux Enterprise version 11 and later endpoints that are registered to custom repositories.
Before you begin
• Subscribe to the Patching Support site to access the installation task named as Install packages by using zypper.
• Configure a custom repository from the SLE Custom Repository Management dashboard. For more information, see Chapter 3, “Custom repositories management,” on page 21.
• Ensure that the configured repository is up-to-date and contains the required packages and metadata.
About this task
Use the Install packages by using zypper task to install or update the packages on endpoints.
You can use the package name or Common Vulnerabilities and Exposures (CVE) ID number to specify the selected packages for installation.
You can also update all the installed packages on the endpoint with later available versions that are in your custom repository.
The Zypper commands for each of the available actions are as follows:
zypper install <package_name1> <package_name2>
    Updates or installs a package with a specific name. Multiple package update or installation is acceptable. Use a space to separate the package names.
zypper update
    Updates all the installed packages on the endpoint.
zypper patch --cve=<cve_number>
    Updates a package with a specific CVE ID number. The task fails if no CVE ID number is specified and it only accepts a single CVE reference.
    This action requires Zypper version 1.5.3-3.2.
Command options are supported as extra flags for the zypper install and zypper update commands only. For detailed usage information, see the zypper man page.
This task also provides actions to test the packages for installation, without installing the packages on the endpoints.
Procedure
1. From the Patch Management domain, click All Patch Management > Fixlets and Tasks.
2. Select the Install packages by using zypper task to install custom packages on endpoints.
3. In the Task pane, review the description and follow the instructions in the Actions box to deploy an action.
Note: To update all installed packages on the endpoint, select the action to install packages, but do not specify any package name.
5. In the Take Action pane, select the endpoints on which the packages are to be installed or updated.
Chapter 4. Using Patch Management for SUSE Linux Enterprise
Use the Fixlets on the Linux RPM Patching and the various Patches for SUSE Linux Enterprise Fixlet sites to apply patches to your deployment.
For information about the available Fixlet sites for SUSE Linux Enterprise, see “Supported platforms and updates” on page 2.
Patch content caching must be done through the download plug-in unless you are using an air-gapped environment or a custom repository. For more information, see the following topics:
• Download plug-in registration
• Download cacher
IBM Endpoint Manager provides several different methods to manage patches for SUSE Linux Enterprise. For more information, see “Patching methods” on page 5.
Patching using Fixlets
You can apply SUSE Linux patches to your deployment by using the Fixlets on the Linux RPM Patching and Patches for SLE sites.
Before you begin
• Register the SUSE download plug-in. For more information about download plug-ins, see Download plug-ins.
• Subscribe to the appropriate sites.
• Activate the necessary analysis from the subscribed sites.
• If you are not using the Patches for SLE 11 Native Tools site to patch your systems, activate the Endpoint Dependency Resolution - Deployment Results analysis to view the patch deployment results. For more information, see “Viewing deployment results” on page 35.
• If you are using the Patches for SLE 11 Native Tools site to patch your systems, run the Install expect task (ID #101) to install the expect utility on systems that are configured with the Zypper utility.
Note: This only applies to the endpoints that do not have the expect utility installed.
About this task
The possible actions that you can make on a Fixlet depend on the patch type. For example, patch Fixlets provide an option to deploy a test run prior to applying the patch. Kernel updates provide the option to upgrade or install all kernel packages. The default behavior for kernel updates is to install packages side by side.
Additionally, each kernel update Fixlet provides the ability to test each of these options.
Procedure
1. From the Patch Management domain, click OS Vendors > SUSE Linux Enterprise, and navigate to the patch content using the domain nodes.
2. In the content that is displayed in the list panel, select the Fixlet that you want to deploy. The Fixlet opens in the work area.
3. Click the tabs at the top of the window to review details about the Fixlet.
4. Click Take Action to deploy the Fixlet.
   • You can deploy a test run prior to applying the patch. View the Deployment Results analysis to determine if the dependencies have been successfully resolved and if an installation is successful.
   • You can view the Novell bulletin for a particular Fixlet, select the Click here
   You can also click the appropriate link in the Actions box
5. You can set more parameters in the Take Action dialog.
For detailed information about setting parameters with the Take Action dialog, see the IBM Endpoint Manager Console Operator's Guide.
6. Click OK.
7. Enter your Private Key Password when necessary.
Viewing deployment results
The results of a successful action for Fixlet content with endpoint dependency resolution are written in a log file on the endpoint. You must activate an analysis to view the results.
Procedure
1. From the Patch Management domain, click OS Vendors > SUSE Linux Enterprise.
2. Navigate to the analysis by clicking the Analyses node and select Endpoint
3. Click Activate.
4. Click the Results tab in the Analysis window that is displayed after you activate the analysis.
Figure 16. Analyses in the navigation tree
5. Optional: You can limit the length of the output by running the Endpoint Dependency Resolution – Set deployment results analysis report length task. To access this task, click OS Vendors > SUSE Linux Enterprise > Configuration.
Note: The default analysis report length is 100 entries.
What to do next
When you review the properties of an endpoint, you can view the current deployment information on that system. To view this data, navigate to the All Content domain and select the Computers node. Select the computer that you want to inspect in the work area. Scroll down to the Deployment Results.
Manage Preference Lists
Preference lists are lists of packages that affect the dependencies that are installed for systems patched by content with endpoint dependency resolution.
Preference lists have the following characteristics:
• Packages included in forbidden preference lists are forbidden when dependencies are resolved.
• Packages included in preferred preference lists are preferred over packages not in the list when dependencies are resolved.
• Packages included higher in the preference lists are preferred over packages lower in the lists.
You can manage these preference lists by using the Preference Lists Dashboard.
Using the Preference Lists Dashboard
Use the Preference List Dashboard to create preference lists.
Figure 18. Results tab
You can navigate to the dashboard by expanding the Linux RPM Patching node and selecting the Endpoint Dependency Resolution - Preference Lists dashboard.
To create new Forbidden package lists, click New Forbidden Package List.
In the next dialog, you select a site for the preference lists. Endpoints subscribed to this site are relevant to this preference list. Choose a site and click next.
Figure 20. Endpoint Dependency Resolution - Preference Lists dashboard in the navigation tree
After entering a name for the list, you can begin populating your preference list with packages. Type the name in the Package to Add field and click Add. As you type, autocomplete suggestions are shown. These suggestions are populated using target packages from the selected site. After completing your list, click Save, click OK, and enter your Private Key Password. A task that deploys this preference list is displayed in the navigation tree.
To edit a preference list, click edit for that particular list.
Figure 22. Create new Forbidden Package List
This opens the same dialog as before and allows you to edit the name and packages in the list. Click Save. To edit the task, click Edit. To redeploy the latest version of this list to all systems that already have the list, click Edit and Redeploy. Then click OK and enter your Private Key Password.
To create a copy of a preference list, click copy for that particular list.
A dialog is created with a nearly identical set of data populated throughout the fields. The Name field has the word copy at the end. Click Save to create the new task.
To delete a preference list, click delete for that particular list.
Figure 24. Edit button
Figure 25. Edit dialog
To delete the task, click Delete. To delete the task and issue an action to remove the preference list from all endpoints that have the list, click Delete and Update.
Preferred package lists can be created and managed in the same way as forbidden packages lists. The controls are listed under the Preferred Package Lists tab of the Preference Lists Dashboard.
Packages are ordered from top to bottom in preference lists. Drag and drop packages to specify priority.
Figure 27. Delete button
Figure 28. Delete dialog
You can view deployed preference lists and their associated metadata by activating an analysis. Navigate to the analysis by clicking the Analyses node and selecting Endpoint Dependency Resolution - Preference Lists. Click the analysis and select Activate from the right-click menu.
Click the Results tab in the Analysis window that is displayed after you activate the analysis.
Figure 30. Sort priority
When you review an endpoint's properties, you can view the current preference list information on that system.
To remove a preference list from an endpoint, run either the Remove Endpoint Dependency Resolution – Remove preferred list or the Remove Endpoint Dependency Resolution – Remove forbidden list tasks.
Retrieving installed RPM package information
The list of installed RPM packages on SUSE Linux Enterprise endpoints can be retrieved by activating an analysis on the IBM Endpoint Manager console.
About this task
The Installed RPM Package List - SuSE Linux Enterprise analysis provides the number of packages that are installed and the actual names of the packages. It is available on the Linux RPM Patching site.
Viewing the installed RPM packages from the console helps to reduce the need for a system administrator to log on to the actual endpoints.
Procedure
1. From the Patch Management domain, click All Patch Management > Analyses.
2. Click the Installed RPM Package List - SuSE Linux Enterprise analysis.
3. Click Activate.
4. View the package information from the Results tab.
Figure 32. Results tab
Chapter 5. SLE Btrfs snapshot management
View and manage SLE Btrfs snapshots from the IBM Endpoint Manager console. Snapshot management uses Snapper's ability to roll back Btrfs file system snapshots. This feature works with SUSE Linux Enterprise version 11 SP2 and later.
Btrfs is a new copy-on-write file system that supports file system snapshots of subvolumes. Subvolumes can be in the form of one or more separately-mountable file systems within each physical partition. A snapshot is a copy of the state of a subvolume at a certain time. It is essentially a clone of the subvolume. For more information about Snapper, see the SUSE product documentation at https://www.suse.com/documentation/sles11/book_sle_admin/data/cha_snapper.html.
Note: For SUSE Linux Enterprise version 11 SP2 systems, snapshots can be taken only if the partitions are subvolumes and contain the snapper configuration.
SLE Btrfs Snapshot Management dashboard overview
Use the SLE Btrfs Snapshot Management dashboard to manage Btrfs file system snapshots for SLE endpoints in your deployment.
Note: You must use IBM Endpoint Manager client version 9.2.1 or later to be able to use this dashboard.
Endpoint Manager provides the SLE Btrfs Snapshot Management dashboard to view the list of Btrfs file system snapshots of an endpoint from the console. The rollback feature allows you to reset the system to the state at which a snapshot was taken.
Consider the following scenario to better understand what the rollback feature does. Patching the application server on the endpoint that hosts your web application is a good practice. After a typical day of patching, you start noticing some issues with the system. These issues occurred only after a particular patch was deployed. Using the dashboard, you can easily roll back the system to an earlier state that does not have such issues.
To access the dashboard, subscribe to the Patching Support site. From the Patch Management domain, click All Patch Management > Dashboards > SLE Btrfs Snapshot Management.
Activate the SLE Btrfs Snapshots analysis to retrieve the endpoints and the Btrfs file system snapshot information and display them on the dashboard. This analysis is also used to generate a log, which records the results of the rollbacks that are taken in the SLE Btrfs Snapshot Management dashboard. The log is located in the directory /var/opt/BESClient/EDRDeployData.
The dashboard lists endpoints and their corresponding snapshot history. Each snapshot displays the following metadata:
Snapshot ID
Snapshot Date and Time
    Start date and time of the snapshot in coordinated universal time (UTC).
Type
    The type of snapshot. There are three different types of snapshots: pre, post, and single.
Pre Snapshot Number
    This metadata is applicable only to post snapshot type. It specifies the number of the corresponding pre snapshot.
Cleanup
    Algorithm to clean up old snapshots. There are three different cleanup algorithms: number, time line, and empty-pre-post.
Description
    A description of the snapshot.
Note: Ensure that you provide a meaningful description during the snapshot creation. This helps to identify the purpose of the snapshot.
For information about the snapshot metadata, see the topic about Manually Creating and Managing Snapshots in the SUSE product documentation.
The dashboard also offers filtering options to ease searching by using the computer name.
To enable the rollback feature, ensure that /var/opt/BESClient/* directories are excluded from the snapshots by running the Exclude Client Directories From Snapshots task.
Rolling back a snapshot
Use the rollback option in the SLE Btrfs Snapshot Management dashboard to restore endpoints to a previous system state. The rollback feature allows you to reset system files of an endpoint that were not configured correctly by rolling back to a different snapshot.
Before you begin
Ensure that you meet the following requirements:
• Use Endpoint Manager server and console version 9.0 or later.
• Use Endpoint Manager client version 9.2.1 or later.
• Use SUSE Linux Enterprise Desktop and Server 11 SP2 or later.
• Subscribe to the Patching Support site.
• Exclude /var/opt/BESClient/* directories from the snapshots. To exclude data directories when taking snapshots, run the Exclude Client Directories From Snapshots task. This task creates the necessary directories and files to exclude the /var/opt/BESClient/* directories when taking snapshots.
About this task
Consider the following limitations of the rollback feature:
• Configuration changes in the directory on the bootloader cannot be rolled back.
• Kernel installations require manual deletion of the boot entry for a Kernel. Hence, complete rollback is not possible for Kernel installations.
• Excluded mount points and ext3 file systems cannot be rolled back.
Procedure
1. From the Patch Management domain, click All Patch Management > Dashboards > SLE Btrfs Snapshot Management.
2. Select the endpoint whose snapshot history you want to view.
3. Select the snapshot that you want to roll back and click Rollback.
Note: Completely reverting to the pre-snapshot affects the changes made by processes other than YaST or Zypper. Therefore, review the changes between the current system state and a snapshot before starting the rollback.
The Rollback Up To Snapshot window opens.
4. Optional: You can specify file names as additional parameters for the rollback. Click Apply.
Note: If you do not specify any file names, all changed files are restored.
5. From the Take Action window, select the computer and click OK to run the action.
What to do next
Appendix A. Support
For more information about this product, see the following resources:
• IBM Knowledge Center
• IBM Endpoint Manager Support site
• IBM Endpoint Manager wiki
• Knowledge Base
Appendix B. Troubleshooting
When problems occur, you can determine what went wrong by viewing messages in the appropriate log files that provide information about how to correct errors.
Log files
The following log files can be found in the client folder in the directory /var/opt/BESClient/EDRDeployData.
EDR_DeploymentResults.txt
    Lists the results of the EDR deployment and the Zypper output. The log file indicates if the normal Zypper process is used for either a standard repository or SMT.
register-repo.log
    Lists the results of the repository registration action of the SLE Custom Repository Management dashboard.
register-SMT.log
    Lists the results of the SMT registration action of the SLE Custom Repository Management dashboard.
unregister-repo.log
    Lists the results of the unregister repository action of the SLE Custom Repository Management dashboard.
unregister-SMT.log
    Lists the results of the unregister SMT action of the SLE Custom Repository Management dashboard.
snapper_rollback.log
    Lists the results of the Btrfs snapshot rollback feature that is available from the SLE Btrfs Snapshot Management dashboard.
pkg_upgrade_output.txt
    Lists the results of the Check Available Package updates - Solaris 11 task.
Understanding dependency failures
Some dependency requirements cannot be determined by Fixlet relevance. In some cases, multiple levels of dependencies or conflicting third-party packages can prevent the installation of a Fixlet content.
You can manually review these details by using the EDR_DeploymentResults.txt file, which is written locally on an endpoint in the client folder by the EDR Plugin. You can also review the analysis Endpoint Dependency Resolution - Deployment Results (ID# 14) in the Linux RPM Patching site.
The EDR_DeploymentResults.txt file is a text file that contains several lines for each Fixlet that runs on the system. Each line contains a date or time stamp and the associated Fixlet ID number. The log shows the type and status of the installation, whether or not it was a test run and if it was successful or failed.
If the deployment failed, the log shows the error output from the EDR Plug-in.
Common <type> tag errors found in the EDR_DeploymentResults.txt file
The most common <type> tag errors that are found in the EDR_DeploymentResults.txt file are as follows:
No solution (noSolution)
    This error means that the requested target packages cannot be installed on the system, because there are conflicts between the target packages and the existing packages on the system.
Incomplete baseline (incompleteBaseline)
    This error might appear if third-party packages are fulfilling dependencies and are not recognized by the resolver.
    If the <type>incompleteBaseline</type> tag is found in the EDR_DeploymentResults.txt file and <name>name of RPM</name> tag is NOT in the /var/opt/BESClient/EDR_UnsupportedPackages.txt file, then you must install the RPM separately.
    However, if the RPM is in the EDR_DeploymentResults.txt file, you must downgrade to a version that is supported. You can use the <sanityCheckError> tag from the EDR_DeploymentResults.txt file to identify what version of RPM is supported. You can only proceed with patching the system when the supported RPM version is installed.
Forbidden package list error (packageInForbiddenList)
    This error is caused by a package on the target, which is listed in the forbidden package list. You must remove the package from the forbidden package list to successfully run the Fixlet.
Empty solution (EmptySolution)
    This error means that the resolver cannot find a solution with the given set of information, for example, the packages that are installed on the system or the packages that it is trying to install. To resolve this error, it is often better to have the system as standard as possible. Installing additional third-party software and removing packages from the base operating system can make it more difficult for the resolver to resolve all dependencies. It is suggested to move toward using the Native Tools site instead.
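The following triage script for the <type> errors listed above is an added example, not part of the product or of IBM's tooling. Only the tag names and the two file paths come from this guide; the log layout (a timestamp and Fixlet ID line followed by resolver XML), the sample entries, and the one-package-name-per-line format of EDR_UnsupportedPackages.txt are assumptions.

```python
"""Summarise resolver errors found in EDR_DeploymentResults.txt."""
import re
from collections import Counter

LOG_PATH = "/var/opt/BESClient/EDRDeployData/EDR_DeploymentResults.txt"
UNSUPPORTED_PATH = "/var/opt/BESClient/EDR_UnsupportedPackages.txt"

# Meaning of each <type> value, paraphrased from the list in this guide.
HINTS = {
    "nosolution": "target packages conflict with packages already on the system",
    "incompletebaseline": "third-party packages fulfil dependencies the resolver does not recognise",
    "packageinforbiddenlist": "a package on the target is in the forbidden package list",
    "emptysolution": "resolver found no solution with the information it has",
}

# Only the tags named in the guide are extracted; all other text is ignored.
TAG = re.compile(r"<(type|name|sanityCheckError)>(.*?)</\1>", re.S)

# Constructed sample data. The layout is an assumption, not real product output.
SAMPLE_LOG = """\
2015-03-02 10:14:07 Fixlet 1101 test run failed
<type>noSolution</type>
2015-03-02 10:20:31 Fixlet 1102 install failed
<type>incompleteBaseline</type><name>acme-agent</name>
<sanityCheckError>acme-agent 2.1 is the supported version</sanityCheckError>
2015-03-02 10:25:00 Fixlet 1103 install failed
<type>incompleteBaseline</type><name>libfoo</name>
2015-03-02 10:31:12 Fixlet 1104 install successful
"""
SAMPLE_UNSUPPORTED = "acme-agent\n"  # assumed format: one package name per line


def _context(text, pos):
    """Nearest non-XML line at or before pos (assumed to carry timestamp and Fixlet ID)."""
    for line in reversed(text[:pos].splitlines()):
        stripped = line.strip()
        if stripped and not stripped.startswith("<"):
            return stripped
    return ""


def parse_errors(text):
    """Group tags into records: each <type> opens a record, later tags attach to it."""
    records, current = [], None
    for match in TAG.finditer(text):
        tag, value = match.group(1), match.group(2).strip()
        if tag == "type":
            current = {"type": value, "names": [], "sanity": [],
                       "context": _context(text, match.start())}
            records.append(current)
        elif current is not None:  # a <name> with no preceding <type> is skipped
            current["names" if tag == "name" else "sanity"].append(value)
    return records


def triage(log_text, unsupported_text=""):
    """Return (Counter of <type> values, records annotated with hints)."""
    unsupported = {line.split()[0].lower()
                   for line in unsupported_text.splitlines() if line.strip()}
    records = parse_errors(log_text)
    for rec in records:
        key = rec["type"].lower()
        rec["hint"] = HINTS.get(key, "type not described in the guide")
        if key == "incompletebaseline":
            # The guide's next step depends on whether the RPM is in the unsupported list.
            rec["in_unsupported_list"] = {n: n.lower() in unsupported for n in rec["names"]}
    return Counter(rec["type"] for rec in records), records


def _read(path):
    try:
        with open(path, encoding="utf-8", errors="replace") as handle:
            return handle.read()
    except OSError:
        return None


if __name__ == "__main__":
    log = _read(LOG_PATH)
    if log is None:  # not on an endpoint: fall back to the constructed sample
        log, unsupported = SAMPLE_LOG, SAMPLE_UNSUPPORTED
    else:
        unsupported = _read(UNSUPPORTED_PATH) or ""
    counts, records = triage(log, unsupported)
    for kind, total in counts.most_common():
        print(f"{total:3d}  {kind}")
    for rec in records:
        print(f"{rec['context']}\n    {rec['type']}: {rec['hint']}")
        for name, listed in rec.get("in_unsupported_list", {}).items():
            print(f"    {name}: listed in EDR_UnsupportedPackages.txt = {listed}")
        for note in rec["sanity"]:
            print(f"    sanityCheckError: {note}")
```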
Bash script error
If you get an error similar to the following error message:
Hard failure exit code ’execute prefetch plug-in’ "/bin/bash" "{parameter "sitefolder"}/ResolveDependencies.sh" ..." (action 159317) Exited with exit code of 2
You must complete the following steps:
1. Open the mentioned bash script and add the following after line 2 of the script:
set -x
logpath=</path/of/your/choice>
exec >"$logpath" 2>&1
2. Deploy the action immediately after you update the script.
This procedure creates the file that is mentioned in the log path, with a line-by-line detailed output for the script.
Issues when the custom repository is not a mirror of the vendor
When you use a custom repository that is not a mirror of the vendor site, it is possible that the default gpgcheck is being done as part of the installation. The GPG signature files might not be included in the repository. In that case, the files cannot be checked for authenticity, which might cause the installation to fail.
To resolve this issue, ensure that when you register the endpoints in the SLE Custom Repository Management dashboard, you add gpgcheck=0 to Additional Fields.
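Because gpgcheck=0 turns off package signature verification for the repository it is set on, it helps to know which endpoints carry it, both from this workaround and from the Additional Fields option in “Registering endpoints to a repository or SMT”. The audit below is an added example, not part of the product; it assumes the repository definitions are in Zypper's default /etc/zypp/repos.d directory, and the sample .repo contents are constructed.

```python
"""Report zypper repository definitions that have gpgcheck switched off."""
import configparser
import glob
import os
import tempfile
from urllib.parse import urlparse

REPO_DIR = "/etc/zypp/repos.d"   # assumption: zypper's default .repo directory
OFF = {"0", "no", "false", "off"}
CLEARTEXT = {"http", "ftp"}      # no transport integrity either

# Constructed sample .repo files so the example runs away from an endpoint.
SAMPLE_REPOS = {
    "vendor-mirror.repo": (
        "[vendor-mirror]\nname=Vendor mirror\nenabled=1\nautorefresh=1\n"
        "baseurl=https://mirror.example.test/sle11/updates\ngpgcheck=1\n"
    ),
    "inhouse.repo": (
        "[inhouse-tools]\nname=In-house tools\nenabled=1\n"
        "baseurl=http://repo.example.test/inhouse%20tools\ngpgcheck=0\n"
    ),
    "legacy.repo": (
        "[legacy]\nname=Legacy packages\nenabled=0\n"
        "baseurl=https://repo.example.test/legacy\ngpgcheck=no\n"
    ),
}


def audit_repo_file(path):
    """Return one finding per repository section in path with gpgcheck disabled."""
    # interpolation=None keeps '%' in URL-encoded baseurl values from raising.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        with open(path, encoding="utf-8", errors="replace") as handle:
            parser.read_file(handle)
    except (OSError, configparser.Error) as exc:
        # An unreadable or malformed file is reported rather than skipped.
        return [{"file": os.path.basename(path), "alias": None, "error": str(exc)}]
    findings = []
    for alias in parser.sections():
        repo = parser[alias]
        # A missing gpgcheck key is not flagged: the repository then follows
        # the system-wide default instead of an explicit opt-out.
        if repo.get("gpgcheck", "").strip().lower() not in OFF:
            continue
        url = repo.get("baseurl", "").strip()
        findings.append({
            "file": os.path.basename(path),
            "alias": alias,
            "enabled": repo.get("enabled", "1").strip().lower() not in OFF,
            "baseurl": url,
            "cleartext": urlparse(url).scheme.lower() in CLEARTEXT,
        })
    return findings


def audit_dir(repo_dir=REPO_DIR):
    """Audit every .repo file in repo_dir, in file-name order."""
    findings = []
    for path in sorted(glob.glob(os.path.join(repo_dir, "*.repo"))):
        findings.extend(audit_repo_file(path))
    return findings


def demo():
    """Write the constructed samples to a temporary directory and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE_REPOS.items():
            with open(os.path.join(tmp, name), "w", encoding="utf-8") as handle:
                handle.write(body)
        return audit_dir(tmp)


if __name__ == "__main__":
    results = audit_dir(REPO_DIR) if os.path.isdir(REPO_DIR) else demo()
    for item in results:
        if item.get("error"):
            print(f"{item['file']}: could not parse ({item['error']})")
            continue
        state = "enabled" if item["enabled"] else "disabled"
        transport = "cleartext transport" if item["cleartext"] else "other transport"
        print(f"{item['file']} [{item['alias']}] gpgcheck off, {state}, "
              f"{transport}: {item['baseurl']}")
```

An enabled repository that is flagged with a cleartext baseurl has neither signature nor transport protection for its packages, so review those entries first.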
Mirror server is not working
To check whether the issue is due to an incorrect URL or mirror server credentials, check the plugin.ini file in the directory <BES Server directory>/DownloadPlugins/SuseProtocol.
Novell account lockout
One possible reason for an account lockout is invalid credentials.
Ensure that you use the mirror server configuration from Novell when you register or configure the download plug-in. Account lockouts are common but temporary. Contact Novell Support if you get locked out of your account.
Error deploying Fixlets from custom sites
The Fixlet site name is hardcoded in the relevance of the Fixlets because the relevance can only accept one value. When you deploy Fixlets from a custom site, the Fixlets fail because they still reference the original Fixlet site. To resolve this issue, ensure that your endpoints are subscribed to the original Fixlet site so that they can grab all the relevant site files.
If you do not want to stay subscribed to the original Fixlet site, but want to be able to deploy custom Fixlets successfully, do the following steps:
1. Make a custom copy of the necessary site files.
Appendix C. Frequently asked questions
To better understand Patch Management for SUSE Linux Enterprise, read the following questions and answers.
What are superseded patches?
Superseded Fixlets are Fixlets that contain outdated packages. If a Fixlet is superseded, then a newer Fixlet exists with newer versions of the packages. The newer Fixlet ID can be found in the description of the superseded Fixlet.
How do I deal with missing patches?
IBM only provides patches for bulletins that are listed on the Novell website for supported configurations. These bulletins can be found in Novell Patch Finder.
Why is my action reporting back as a failed download?
Make sure you update the download plug-in to the latest version and register it with the correct credentials.
If I have registered the latest plug-ins, why do downloads still fail?
For product versions 8.0.627, upgrade to the latest version of IBM Endpoint Manager to resolve the issue on dynamic downloads whitelist.
For product versions later than 8.0.627, verify your existing download plug-in configuration. Verify that the Novell credentials, proxy settings, and mirror server settings are valid.
What do I do when an action reports back with an “EDR Plugin failure, Invalid set of initially installed packages”?
There is at least one conflict between the packages that exist on the system. The resolver will not work until the conflicting packages are removed.
Why is there XML in the deployment results?
The XML is from the error output of the resolver when the resolver fails to produce a solution. You can look at the description in the “errorType” tag to gain a better understanding of why the failure occurred.
What do I do when the deployment results display a “Dependency Resolver Failure, noSolution”?
If the resolver finds that there is no solution, the system cannot install all targets and dependencies because of a conflict between these files and the endpoint files. Dependency graphs are generated every Monday, Wednesday, and Friday.
What do I do when an action reports back with an installation failure?
Check to see if the conflict is caused by a vendor-acquired package. These must be removed for the installation to occur.
Why does the resolver function select a lower priority package over a higher priority one?
The resolver does not select a preferred package if by selecting that